Transcript of "9 reasons-to-ensure-pci-compliance-web"

Article | Bit9 Retail and hospitality
As a retail security professional, you are challenged with maintaining a constant state of PCI compliance and keeping your infrastructure safe using best-of-breed security solutions that help, rather than hinder, your quest to validate your systems. Endpoint protection that is based on detecting known malware is demonstrably ineffective—and has the potential to create numerous inefficiencies across your organization. In addition, constant updating of security patches and antivirus software libraries can slow response times and leave endpoints vulnerable to APT attacks. Besides potential breaches of your customers’ personal information, as well as damage to your brand, a lack of endpoint control can also put you at risk for steep PCI noncompliance and regulatory penalties—fines that can range anywhere from $10,000 to $100,000 per month.

Here are nine strategies to think about when looking to take control of your security and reduce the burden of achieving and maintaining PCI compliance.
Nine Ways

1. Understand What’s In and Out of Scope
2. 100 Percent Detection During Your Entire Transactional Process
3. Defense in Depth: Protect Your Enterprise on Multiple Levels
4. Ease Your Scanning Overhead While Controlling Your Store Systems
5. Take Back Your Processing Power
6. Use Real-Time Sensors to Streamline Your Testing and Vulnerability Collection Process
7. Gain Visibility and Build Measurable Business Intelligence Around the Enterprise Assets
8. Protect What Matters Most with Change Control
9. Educate and Advise the Business of the Security and Regulatory Policies

1. Understand What’s In and Out of Scope

To control costs and minimize the administrative burden during the PCI compliance validation process, IT professionals spend time segmenting their network infrastructure in order to understand which sections of the enterprise are in scope for PCI. The idea is to segment out non-relevant PCI data and avoid the increased complexity of the compliance metrics against which the in-scope data is held. With full visibility and monitoring of all of your enterprise assets, along with templates to determine which data is PCI relevant, you can gain a quick snapshot of the corporate assets that are affected by compliance. This not only makes it easier to decide which sectors within the scope of PCI compliance are of immediate concern, but it also aids in streamlining the process associated with audit and data collection.
2. 100 Percent Detection During Your Entire Transactional Process

What if you could maintain compliance throughout every point in a transactional process? The ability to instantly detect transactional data-point infractions and prevent anything from being introduced to the system that’s outside of known and trusted software (such as advanced threats) will enable organizations to ensure that transactional data is protected at every stage in the processing.
3. Defense in Depth: Protect Your Enterprise on Multiple Levels

For a complete security solution, and to meet PCI compliance requirements, IT professionals need to ensure that they have a defense-in-depth strategy that keeps every window of opportunity to exploit their store systems, workstations and servers closed. Protecting your infrastructure on multiple levels, collecting information about your endpoints in real time, and having a wealth of asset information available to assess the risk that any asset poses to the organization’s security and compliance are fundamental to meeting that compliance.

Take, as an analogy, a home security system. The system likely has both a door sensor and a motion sensor to detect the threat of someone entering either through the door or perhaps coming in through the window. The strength of this system is that if one mechanism doesn’t catch the threat, the other will. The same holds true for defense in depth when considering certain PCI requirements.
4. Ease Your Scanning Overhead While Controlling Your Store Systems

In order to meet PCI compliance, retailers must maintain a real-time inventory of all of their endpoints and servers and remain in control of their security. Using a combination of real-time sensors, cloud-based software reputation services, continuous monitoring, and a trust-based security platform, you’ll eliminate antivirus scans, free up processing power, and extend the lifecycle of your store systems. Additionally, you will have the benefit of scheduling security patches on your own timetable rather than under the schedule of the OS or the compliance regulations, and you’ll reduce the risk of compliance vulnerabilities.
5. Take Back Your Processing Power

Robust performance at the endpoint is critical to the success of adequate data collection, visibility across the enterprise, and security control. In order to maintain PCI compliance, it’s necessary to gain actionable intelligence on all of the critical file assets, applications, and data running on the endpoints, while avoiding the bottleneck that can be caused when constant scanning is applied to the collection of the intelligence. If you can set an established baseline for the software inventory on the endpoints, you can return much-needed processing cycles to the endpoint and maintain the full required visibility and control to ensure compliance. You then negate the need for constant performance-consuming profile scanning, which often brings the endpoint to a halt.

96% of victims subject to PCI DSS had not achieved compliance (Verizon Data Breach Investigations Report)
6. Use Real-Time Sensors to Streamline Your Testing and Vulnerability Collection Process

By maintaining continuous, real-time file integrity monitoring and control, you can protect your critical configuration files from unauthorized changes to meet file integrity monitoring and audit trail rules. You’ll be able to identify all suspected vulnerabilities across your enterprise and proactively take action against specific versions and types of files based on your organization’s policies.

By adding individual file rights and approvals into the trust metrics for the organization, you will have complete visibility into all changes and possible new vulnerabilities that may be introduced with software updates. This increased visibility will provide a wealth of information for the penetration test and will expose all known and potential vulnerabilities, which can be provided prior to the commencement of testing. It will also help to define the penetration tests that will be undertaken, because the tests can be scoped against a set of known possibilities rather than against a negative set of data.
7. Gain Visibility and Build Measurable Business Intelligence Around the Enterprise Assets

What if you could measure the security risk that any particular asset has on your organization at any given point in time? By understanding and having visibility into real-time file asset inventory information, you can build intelligence around all of your file assets, including their prevalence, trust rating, threat, and inherited vulnerabilities. Having this high-level visibility will enhance your ability to report to the fullest on any asset, be it at audit time, pre-compliance assessment, or security intelligence gathering. It allows businesses to take a proactive stance against anything running within their enterprise and to sift out anything that is deemed untrustworthy or that could have a negative effect on their compliance and security posture.
8. Protect What Matters Most with Change Control

A full audit trail of all significant PCI data and the surrounding events associated with any attempted file alteration is required for auditors to quickly assess compliance and to produce the necessary reporting for compliance validation. However, the number of changes that you may have to monitor can result in a significant administrative burden.

One solution is to utilize a security solution that is trust based, one that allows you to prevent changes to critical assets and greatly reduce the administrative work needed to sort through all of the expected or unexpected changes. This approach also greatly narrows the scope of ensuring the security and compliance aspects of PCI, as it enables the collection and tracking of all relevant in-scope PCI-affected assets.
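The baseline, file integrity monitoring and change-control ideas in sections 5, 6 and 8 come together in the following added example; it is not Bit9 code, and the directory contents, file names and "approved" hashes are constructed for the demo. It hashes an in-scope tree once, then reports only deviations, distinguishing a change that went through change control from an unapproved one.

```python
# Added example, not Bit9 product code: hash an in-scope directory once to form a
# trusted baseline, then report only deviations. Demo file names are constructed.
import hashlib
import os
import tempfile


def build_baseline(root):
    """One full pass over the in-scope tree: relative path -> trusted SHA-256."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                baseline[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return baseline


def check_integrity(root, baseline, approved=None):
    """Diff the live tree against the baseline; `approved` maps path -> hash of
    a change that went through change control, anything else is flagged."""
    approved = approved or {}
    current = build_baseline(root)
    events = []
    for rel, digest in sorted(current.items()):
        if rel not in baseline:
            events.append((rel, "added"))
        elif digest != baseline[rel]:
            ok = approved.get(rel) == digest
            events.append((rel, "approved_change" if ok else "unauthorized_change"))
    events += [(rel, "deleted") for rel in sorted(baseline) if rel not in current]
    return events


def write(root, name, body):
    with open(os.path.join(root, name), "wb") as f:
        f.write(body)


def demo():
    # Constructed scenario: one approved edit, one unapproved edit, one new file.
    with tempfile.TemporaryDirectory() as root:
        write(root, "pos.conf", b"tls=1\n")
        write(root, "db.conf", b"host=pos-db\n")
        baseline = build_baseline(root)
        write(root, "pos.conf", b"tls=1\nlog=on\n")  # approved via change control
        write(root, "db.conf", b"host=other-db\n")   # edited without approval
        write(root, "unknown.exe", b"MZ")            # new file, not in baseline
        approved = {"pos.conf": hashlib.sha256(b"tls=1\nlog=on\n").hexdigest()}
        return check_integrity(root, baseline, approved)
```

The returned events are the audit trail an assessor would want: only the unapproved edit and the unknown file need attention, because the approved change is explained by its change-control record.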
Only 76% of advanced malware is actually detected by antivirus solutions (Gartner-Burton IT1 Research, Application Control and Whitelisting for Endpoints, March 10, 2011)